The current ClusterIssuer 'letsencrypt-prod' is not limited to the base domain, so cert-manager is trying a DNS challenge for all domains.
https://github.com/camptocamp/devops-stack/blob/master/modules/aks/azure/values.tmpl.yaml#L82
We should use a selector.
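
A sketch of what a selector-scoped DNS-01 solver looks like in cert-manager, as an added example that is not taken from the devops-stack template. `example.com`, the e-mail address, the secret name and the Azure identifiers are placeholders, and the Azure authentication fields are assumed to stay as they are in the existing configuration.

```yaml
# Added example, not the project's own values.tmpl.yaml.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com                  # placeholder
    privateKeySecretRef:
      name: letsencrypt-prod-account-key    # placeholder
    solvers:
      # A solver with no selector matches every dnsName on every Certificate
      # that references this issuer, so DNS-01 is attempted for names outside
      # the zone the cluster actually controls.
      # With selector.dnsZones the solver is only used for names in the
      # listed zone(s).
      - selector:
          dnsZones:
            - example.com                   # placeholder for the base domain
        dns01:
          azureDNS:
            subscriptionID: 00000000-0000-0000-0000-000000000000  # placeholder
            resourceGroupName: placeholder-dns-rg                 # placeholder
            hostedZoneName: example.com                           # placeholder
            environment: AzurePublicCloud
            # authentication fields omitted; keep the existing ones
```

With only this solver configured, a Certificate requesting a name outside the listed zone has no matching solver and its challenge fails instead of triggering a DNS-01 attempt against the Azure zone.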